How to I specify an ssh key passphrase when using headless Buckminster? [message #756211] Fri, 11 November 2011 08:58
Matthew Webber
When I materialize a certain CQuery into a new empty workspace, it needs to clone a remote git repository (the RMap tells it this). The remote repository is managed by gitolite, which uses keypair authentication (just like github).

My SSH private key has a passphrase.

When I perform the materialize using Buckminster within the Eclipse IDE, it pops up a dialog box asking me for my passphrase for my private key. I enter it, and the materialize proceeds successfully.

However, if I perform the materialize using headless Buckminster, I am never prompted for my passphrase for my private key. The materialize simply fails with:
ERROR [0001] : org.eclipse.jgit.api.errors.JGitInternalException: Exception caught during execution of fetch command

If I remove the passphrase from my private key, the materialize using headless Buckminster is successful.

Is there a way that I can materialize using headless Buckminster, while keeping the passphrase on my private key? I tried using ssh-add (to add the passphrase to the agent), but that did not help.

This is Linux with the latest Buckminster and everything.

Thanks
Matthew
Re: How to I specify an ssh key passphrase when using headless Buckminster? [message #756214 is a reply to message #756211] Fri, 11 November 2011 09:10
Thomas Hallgren
Hi Matthew,

There's no way to specify a passphrase when running headless. Then again, why would you want that? You're running
headless to avoid interaction so any passphrase would need to be stored in a file. The reason you have a passphrase in
the first place is to protect your private key from being compromised. Seems to me like storing a passphrase in a file
would render that protection useless.

I would recommend that you have a special purpose private key that you use for builds only and it should be without a
passphrase. We have no plans to provide support for entering passphrases in a headless Buckminster.

HTH,
Thomas Hallgren

On 2011-11-11 14:58, Matthew Webber wrote:
> When I materialize a certain CQuery into a new empty workspace, it needs to clone a remote git repository (the RMap
> tells it this). The remote repository is managed by gitolite, which uses keypair authentication (just like github).
>
> My SSH private key has a passphrase.
>
> When I perform the materialize using Buckminster within the Eclipse IDE, it pops up a dialog box asking me for my
> passphrase for my private key. I enter it, and the materialize proceeds successfully.
>
> However, if I perform the materialize using headless Buckminster, I am never prompted for my passphrase for my private
> key. The materialize simply fails with:
> ERROR [0001] : org.eclipse.jgit.api.errors.JGitInternalException: Exception caught during execution of fetch command
>
> If I remove the passphrase from my private key, the materialize using headless Buckminster is successful.
>
> Is there a way that I can materialize using headless Buckminster, while keeping the passphrase on my private key? I
> tried using ssh-add (to add the passphrase to the agent), but that did not help.
>
> This is Linux with the latest Buckminster and everything.
>
> Thanks
> Matthew
>
Re: How to I specify an ssh key passphrase when using headless Buckminster? [message #756219 is a reply to message #756214] Fri, 11 November 2011 09:33
Matthew Webber
OK, understood.

The reason I was interested in passphrase support is that we would like developers to be able to check out a fresh workspace using the command line. So when I said "headless" I was not just thinking of an unattended build server, but also a user at a command line.

For new developers, I have a Python script which downloads a zipped template workspace, unzips it, and calls headless Buckminster to materialize a component. It's all very nice - the user can specify a short name for which of our products (and which version) they want, and the tool determines the correct CQuery and component name, and does it all.

It works, unless the SSH key has a passphrase ...!

Thanks anyhow
Matthew
Re: How to I specify an ssh key passphrase when using headless Buckminster? [message #756313 is a reply to message #756219] Fri, 11 November 2011 17:04
Henrik Lindberg
On 11/11/11 3:33 PM, Matthew Webber wrote:
> OK, understood.
>
> The reason I was interested in passphrase support is that we would like
> developers to be able to check out a fresh workspace using the command
> line. So when I said "headless" I was not just thinking of an unattended
> build server, but also a user at a command line.
>
> For new developers, I have a Python script which downloads a zipped
> template workspace, unzips it, and calls headless Buckminster to
> materialize a component. It's all very nice - the user can specify a
> short name for which of our products (and which version) they want, and
> the tool determines the correct CQuery and component name, and does it
> all.
>
> It works, unless the SSH key has a passphrase ...!
>
Have you looked at using something like ssh-agent
(http://en.wikipedia.org/wiki/Ssh-agent) - some useful tips at
http://help.github.com/ssh-key-passphrases/ and gory details here
http://www.unixwiz.net/techtips/ssh-agent-forwarding.html

In theory, this enables someone to give the passphrase to the agent so
subsequent usage does not require it.
I have no idea if a technique like that can be used in this case, but
perhaps worth looking into. BTW, on Mac, the ssh-agent is nicely
integrated with OS X.

- henrik
Re: How to I specify an ssh key passphrase when using headless Buckminster? [message #756341 is a reply to message #756313] Sat, 12 November 2011 03:50
Thomas Hallgren
On 2011-11-11 23:04, Henrik Lindberg wrote:
> Have you looked at using something like ssh-agent (http://en.wikipedia.org/wiki/Ssh-agent) - some useful tips at
> http://help.github.com/ssh-key-passphrases/ and gory details here http://www.unixwiz.net/techtips/ssh-agent-forwarding.html
>
> In theory, this enables someone to give the passphrase to the agent so subsequent usage does not require it.
> I have no idea if a technique like that can be used in this case, but perhaps worth looking into. BTW, on Mac, the
> ssh-agent is nicely integrated with OS X.
>
The same is true for Linux (Gnome keyring if you run Gnome) and on Windows I believe pageant will do this.

- thomas
Re: How to I specify an ssh key passphrase when using headless Buckminster? [message #756606 is a reply to message #756341] Mon, 14 November 2011 08:55
Matthew Webber
I probably should have mentioned this in my original posting:

We use ssh-agent, and I did run ssh-add to provide my passphrase prior to invoking command line Buckminster, and confirmed that it worked for normal ssh connections. Unfortunately, for Buckminster this did not make any difference; the Buckminster materialize still failed in the same way.

The way it's supposed to work (as far as I know) is that the ssh software should forward the key request to the agent software. I suspect the problem here is that the SSH software that Buckminster uses is not the standard ssh software (is it some Java equivalent?), and maybe that doesn't talk to ssh-agent.

Matthew
Re: How to I specify an ssh key passphrase when using headless Buckminster? [message #756623 is a reply to message #756606] Mon, 14 November 2011 09:25
Thomas Hallgren
On 2011-11-14 14:56, Matthew Webber wrote:
> I probably should have mentioned this in my original posting:
>
> We use ssh-agent, and I did run ssh-add to provide my passphrase prior to invoking command line Buckminster, and
> confirmed that it worked for normal ssh connections. Unfortunately, for Buckminster this did not make any difference;
> the Buckminster materialize still failed in the same way.
>
> The way it's supposed to work (as far as I know) is that the ssh software should forward the key request to the agent
> software. I suspect the problem here is that the SSH software that Buckminster uses is not the standard ssh software (is
> it some Java equivalent?), and maybe that doesn't talk to ssh-agent.
>
I suspected as much. JSch (the Java SSH solution that JGit uses) has no clue about any SSH implementation provided by the
OS. I would be surprised if it integrates with the Eclipse IDE.

- thomas
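
Because headless Buckminster reports only the generic JGit fetch error when the key is passphrase-protected, a launcher script such as the Python one described earlier in the thread can inspect the key file first and stop with a clear message. The following is an added example, not code from the thread or from Buckminster; `key_is_encrypted`, `preflight` and the sample keys are hypothetical names and constructed data, and it covers the traditional PEM, PKCS#8 and OpenSSH container formats, which goes beyond the single key discussed here.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def key_is_encrypted(key_text):
    """True if this private key needs a passphrase; ValueError if unrecognised."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and "PRIVATE KEY" in lines[0]):
        raise ValueError("not a PEM-armoured private key")
    label = lines[0]
    if label == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 states encryption in the label itself
    if label != "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Traditional OpenSSL PEM: encryption is announced by a Proc-Type header.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])
    # OpenSSH container: magic, then a length-prefixed cipher name ("none" = no passphrase).
    blob = base64.b64decode("".join(ln for ln in lines[1:] if not ln.startswith("-----")))
    off = len(OPENSSH_MAGIC)
    if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
        raise ValueError("malformed OpenSSH private key")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    cipher = blob[off + 4:off + 4 + n]
    if len(cipher) != n:
        raise ValueError("truncated OpenSSH private key")
    return cipher != b"none"

def preflight(key_text):
    # Message for the launcher to show before it starts headless Buckminster.
    if key_is_encrypted(key_text):
        return "key has a passphrase: headless materialize cannot prompt for it and will fail"
    return "ok"

def openssh_sample(cipher):
    # Constructed, header-only container for the demo; not a usable key.
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples (placeholder bodies, not real key material).
SAMPLE_PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                        "AAAA\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, text in [("pem-encrypted", SAMPLE_PEM_ENCRYPTED), ("pem-plain", SAMPLE_PEM_PLAIN),
                       ("openssh-aes", openssh_sample(b"aes256-ctr")),
                       ("openssh-none", openssh_sample(b"none"))]:
        print(name, "->", preflight(text))
```

The check reads only the key's armour and header fields, so it never needs the passphrase and never decrypts anything.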
Re: How to I specify an ssh key passphrase when using headless Buckminster? [message #799790 is a reply to message #756623] Thu, 16 February 2012 05:10
Matt Biggs
Matthew

Do you mind me asking how you managed to get around this? I've run into the exact same problem.

I can get Buckminster to use a (temporary) anonymous read only git:// url, which works fine. If I use the IDE with ssh-agent set up it also works fine using the public/private keys with no password prompt.

But if I try to use headless it fails with the above mentioned exception. We're hoping to try out GitHub for a private repo in the future which as far as I can tell uses ssh keys so using anonymous won't be possible.

How have people worked around this?

Re: How to I specify an ssh key passphrase when using headless Buckminster? [message #799828 is a reply to message #799790] Thu, 16 February 2012 06:03
Thomas Hallgren
On 02/16/2012 11:10 AM, Matt Biggs wrote:
> Matthew
>
> Do you mind me asking how you managed to get around this? I've run into the exact same problem.
> I can get Buckminster to use a (temporary) anonymous read only git:// url, which works fine. If I use the IDE with
> ssh-agent set up it also works fine using the public/private keys with no password prompt.
>
> But if I try to use headless it fails with the above mentioned exception. We're hoping to try out GitHub for a private
> repo in the future which as far as I can tell uses ssh keys so using anonymous won't be possible.
> How have people worked around this?
>
One way around this is to use SSH keys that do not require a pass-phrase.

- thomas
Re: How to I specify an ssh key passphrase when using headless Buckminster? [message #799831 is a reply to message #799828] Thu, 16 February 2012 06:09
Matt Biggs
Thanks Thomas, I'll try that.

Given that EGit does now indeed support ssh-agent and keys etc for use with GitHub. And given that running Buckminster in the IDE works fine. Is this a bug or are there any plans to support it in headless mode? I'm just trying to work out why it works in the IDE yet headless doesn't.

[Updated on: Thu, 16 February 2012 06:12]

Re: How to I specify an ssh key passphrase when using headless Buckminster? [message #799839 is a reply to message #799831] Thu, 16 February 2012 06:20
Thomas Hallgren
On 02/16/2012 12:09 PM, Matt Biggs wrote:
> Thanks Thomas, I'll try that.
>
> Given that EGit does not indeed support ssh-agent and keys etc for use with GitHub. And given that running Buckminster
> in the IDE works fine. Is this a bug or are there any plans to support it in headless mode? I'm just trying to work out
> why it works in the IDE yet headless doesn't.

When you're using the IDE, does it prompt you for the pass-phrase? If not, where did you enter it?
Re: How to I specify an ssh key passphrase when using headless Buckminster? [message #799843 is a reply to message #799839] Thu, 16 February 2012 06:26
Matt Biggs
No, my PC is set up for use with ssh-agent. When I log in for the first time to my PC I enter my passphrase on the command line. After that ssh-agent decrypts it and stores it safely. Until I log off, I never have to enter it again. The IDE seems happy with this, however headless Buckminster appears to ignore it and I'm assuming still prompting for the passphrase and giving an exception instead.

I've just tried without passphrase and headless is happy, but I imagine this is less secure?
Re: How to I specify an ssh key passphrase when using headless Buckminster? [message #799845 is a reply to message #799843] Thu, 16 February 2012 06:27
Matt Biggs
Unless the IDE has cached it somewhere?? I've deleted my secure storage to test and the IDE still seemed happy.